First For The Nation Coming From S.C.

Law for insurance companies regarding cybersecurity

South Carolina has become the first state in the nation to pass a cybersecurity law covering insurance companies that do business in the state.

Governor Henry McMaster signed the bill last week.

South Carolina Director of Insurance Ray Farmer said that since 2014, more than 120 million United States citizens have had their personal health insurance information compromised due to security breaches at several large companies.

“It provides some consumer protection to further help safeguard that extremely important and private information,” he said. “It requires insurance companies to beef up their data security.”

Farmer said this law will be a model for other states to adopt as data security becomes an issue for every industry. He chaired the National Association of Insurance Commissioners Cybersecurity Working Group that drafted the law.

“South Carolina is now the first in the nation to pass a comprehensive data security insurance law,” Farmer said. “This sets South Carolina apart and shows we are dedicated to keeping insurance information safe. In this day where cybersecurity breaches are a real and ongoing threat it is best to take a proactive approach to protecting data before there is an issue, rather than trying to fix a breach once it has happened.”

Farmer said he worked on the law for more than two years.

“It takes it out of an I-T related issue to a board of directors issue and this requires someone to be reporting to the CEO and to the board of directors on data security, cybersecurity issues,” Farmer said.

“It requires a company, in an event they do have a breach, to notify the regulator, and in this case, the Department of Insurance, within 72 hours,” he said. “And at that point we can form a partnership with the company to see what we need to do to protect consumers, the citizens of this state.”

Farmer said the law sets protections for consumers, gives guidelines to companies and gives guidelines to regulators.

It creates rules for insurers, agents and other licensed entities covering data security, investigation and notification of breach. This includes maintaining an information security program based on ongoing risk assessment, overseeing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event. Other provisions that the new law provides include:

• Protects consumer information: Safeguarding individual insurance policy holder’s personal information is a high priority in the wake of several major insurance companies’ data breaches.
• Establish data security standards: Requires insurance companies to mitigate the potential damage of a data breach. The law applies to insurers, insurance agents and other entities licensed by the SC Department of Insurance.
• Strong protection & quick reaction: Requires insurance companies to develop, to implement and to maintain a secure information

“The United States Department of Treasury has commended the regulators for developing the model bill and has encouraged every state to adopt it and to adopt it within the next several years,” he said.

All insurance companies doing business in South Carolina will have to comply with the law.

“I think this is a great victory for the consumers of this state, to know that there is additional attention being paid to safeguard their personal identifiable health information or personal identifiable information in general that an insurance company has from our consumers,” Farmer said.